Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

I need to produce a license report by index that includes retention period

morphis72
Path Finder
‎03-22-2019 07:58 AM

I need to build a monthly report that shows average daily usage for charge-back purposes. I have sorted out how to give them everything they are asking for except for the data retention. They want me to include a column in the report that shows what indexes are 30, 93, 180 or 365 days of retention.

How would I go about adding that information?

This is my search so far:

earliest=-30d@d latest=@d index=internal source=license_usage.log type=Usage idx="" |
eval date=strftime(_time, "%Y%m%d") |
stats sum(b) as sum by idx, date |
eval GB = sum/1024/1024/1024 |
chart avg(GB) as "Average Daily - GB", max(GB) as "Monthly Peak - GB" by idx |
rex field=idx "^.?(?\d+)_(?\d+)$"

0 Karma
Reply

FrankVl
Ultra Champion
‎03-22-2019 08:27 AM

Add the following to your current search:

join type=left idx [
| rest /services/data/indexes 
| rename title as idx 
| eval retention_period = frozenTimePeriodInSecs / (3600*24) 
| table idx,retention_period
]
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...